Merge changes from topic "sp_dual_signing" into integration

* changes:
  dualroot: add chain of trust for Platform owned SPs
  cert_create: add Platform owned secure partitions support

drivers/auth/dualroot/cot.c

@@ -743,29 +743,60 @@ static const auth_img_desc_t sip_sp_content_cert = {
 				.ptr = (void *)sp_pkg_hash_buf[3],
 				.len = (unsigned int)HASH_DER_LEN
 			}
+		}
+	}
+};
+
+DEFINE_SIP_SP_PKG(1);
+DEFINE_SIP_SP_PKG(2);
+DEFINE_SIP_SP_PKG(3);
+DEFINE_SIP_SP_PKG(4);
+
+static const auth_img_desc_t plat_sp_content_cert = {
+	.img_id = PLAT_SP_CONTENT_CERT_ID,
+	.img_type = IMG_CERT,
+	.parent = NULL,
+	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
+		[0] = {
+			.type = AUTH_METHOD_SIG,
+			.param.sig = {
+				.pk = &prot_pk,
+				.sig = &sig,
+				.alg = &sig_alg,
+				.data = &raw_data
+			}
 		},
-		[4] = {
+		[1] = {
+			.type = AUTH_METHOD_NV_CTR,
+			.param.nv_ctr = {
+				.cert_nv_ctr = &non_trusted_nv_ctr,
+				.plat_nv_ctr = &non_trusted_nv_ctr
+			}
+		}
+	},
+	.authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
+		[0] = {
 			.type_desc = &sp_pkg5_hash,
 			.data = {
 				.ptr = (void *)sp_pkg_hash_buf[4],
 				.len = (unsigned int)HASH_DER_LEN
 			}
 		},
-		[5] = {
+		[1] = {
 			.type_desc = &sp_pkg6_hash,
 			.data = {
 				.ptr = (void *)sp_pkg_hash_buf[5],
 				.len = (unsigned int)HASH_DER_LEN
 			}
 		},
-		[6] = {
+		[2] = {
 			.type_desc = &sp_pkg7_hash,
 			.data = {
 				.ptr = (void *)sp_pkg_hash_buf[6],
 				.len = (unsigned int)HASH_DER_LEN
 			}
 		},
-		[7] = {
+		[3] = {
 			.type_desc = &sp_pkg8_hash,
 			.data = {
 				.ptr = (void *)sp_pkg_hash_buf[7],
@@ -775,14 +806,10 @@ static const auth_img_desc_t sip_sp_content_cert = {
 	}
 };
 
-DEFINE_SIP_SP_PKG(1);
+DEFINE_PLAT_SP_PKG(5);
-DEFINE_SIP_SP_PKG(2);
+DEFINE_PLAT_SP_PKG(6);
-DEFINE_SIP_SP_PKG(3);
+DEFINE_PLAT_SP_PKG(7);
-DEFINE_SIP_SP_PKG(4);
+DEFINE_PLAT_SP_PKG(8);
-DEFINE_SIP_SP_PKG(5);
-DEFINE_SIP_SP_PKG(6);
-DEFINE_SIP_SP_PKG(7);
-DEFINE_SIP_SP_PKG(8);
 #endif /* SPD_spmd */
 
 #else  /* IMAGE_BL2 */
@@ -915,6 +942,7 @@ static const auth_img_desc_t * const cot_desc[] = {
 	[NT_FW_CONFIG_ID]			=	&nt_fw_config,
 #if defined(SPD_spmd)
 	[SIP_SP_CONTENT_CERT_ID]		=	&sip_sp_content_cert,
+	[PLAT_SP_CONTENT_CERT_ID]		=	&plat_sp_content_cert,
 	[SP_PKG1_ID]				=	&sp_pkg1,
 	[SP_PKG2_ID]				=	&sp_pkg2,
 	[SP_PKG3_ID]				=	&sp_pkg3,

include/common/tbbr/tbbr_img_def.h

@@ -11,16 +11,17 @@
 
 #if defined(SPD_spmd)
 #define SIP_SP_CONTENT_CERT_ID		MAX_IMAGE_IDS
-#define SP_PKG1_ID			(MAX_IMAGE_IDS + 1)
+#define PLAT_SP_CONTENT_CERT_ID		(MAX_IMAGE_IDS + 1)
-#define SP_PKG2_ID			(MAX_IMAGE_IDS + 2)
+#define SP_PKG1_ID			(MAX_IMAGE_IDS + 2)
-#define SP_PKG3_ID			(MAX_IMAGE_IDS + 3)
+#define SP_PKG2_ID			(MAX_IMAGE_IDS + 3)
-#define SP_PKG4_ID			(MAX_IMAGE_IDS + 4)
+#define SP_PKG3_ID			(MAX_IMAGE_IDS + 4)
-#define SP_PKG5_ID			(MAX_IMAGE_IDS + 5)
+#define SP_PKG4_ID			(MAX_IMAGE_IDS + 5)
-#define SP_PKG6_ID			(MAX_IMAGE_IDS + 6)
+#define SP_PKG5_ID			(MAX_IMAGE_IDS + 6)
-#define SP_PKG7_ID			(MAX_IMAGE_IDS + 7)
+#define SP_PKG6_ID			(MAX_IMAGE_IDS + 7)
-#define SP_PKG8_ID			(MAX_IMAGE_IDS + 8)
+#define SP_PKG7_ID			(MAX_IMAGE_IDS + 8)
+#define SP_PKG8_ID			(MAX_IMAGE_IDS + 9)
 #define MAX_SP_IDS			U(8)
-#define MAX_NUMBER_IDS			(MAX_IMAGE_IDS + MAX_SP_IDS + U(1))
+#define MAX_NUMBER_IDS			(MAX_IMAGE_IDS + MAX_SP_IDS + U(2))
 #else
 #define MAX_NUMBER_IDS			MAX_IMAGE_IDS
 #endif

include/drivers/auth/auth_mod.h

@@ -51,11 +51,15 @@ extern const size_t cot_desc_size;
 extern unsigned int auth_img_flags[MAX_NUMBER_IDS];
 
 #if defined(SPD_spmd)
-#define DEFINE_SIP_SP_PKG(n) \
+
+#define DEFINE_SIP_SP_PKG(n)		DEFINE_SP_PKG(n, sip_sp_content_cert)
+#define DEFINE_PLAT_SP_PKG(n)		DEFINE_SP_PKG(n, plat_sp_content_cert)
+
+#define DEFINE_SP_PKG(n, cert) \
 	static const auth_img_desc_t sp_pkg##n = { \
 		.img_id = SP_PKG##n##_ID, \
 		.img_type = IMG_RAW, \
-		.parent = &sip_sp_content_cert, \
+		.parent = &cert, \
 		.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { \
 			[0] = { \
 				.type = AUTH_METHOD_HASH, \
@@ -66,6 +70,7 @@ extern unsigned int auth_img_flags[MAX_NUMBER_IDS];
 			} \
 		} \
 	}
+
 #endif
 
 #endif /* TRUSTED_BOARD_BOOT */

include/tools_share/firmware_image_package.h

@@ -66,6 +66,8 @@
 	{{0x8e,  0xc4, 0xc1, 0xf3}, {0x5d, 0x63}, {0xe4, 0x11}, 0xa7, 0xa9, {0x87, 0xee, 0x40, 0xb2, 0x3f, 0xa7} }
 #define UUID_SIP_SECURE_PARTITION_CONTENT_CERT \
 	{{0x77,  0x6d, 0xfd, 0x44}, {0x86, 0x97}, {0x4c, 0x3b}, 0x91, 0xeb, {0xc1, 0x3e, 0x02, 0x5a, 0x2a, 0x6f} }
+#define UUID_PLAT_SECURE_PARTITION_CONTENT_CERT \
+	{{0xdd,  0xcb, 0xbf, 0x4a}, {0xca, 0xd6}, {0x11, 0xea}, 0x87, 0xd0, {0x02, 0x42, 0xac, 0x13, 0x00, 0x03} }
 /* Dynamic configs */
 #define UUID_HW_CONFIG \
 	{{0x08,  0xb8, 0xf1, 0xd9}, {0xc9, 0xcf}, {0x93, 0x49}, 0xa9, 0x62, {0x6f, 0xbc, 0x6b, 0x72, 0x65, 0xcc} }

lib/debugfs/devfip.c

@@ -76,7 +76,8 @@ static const struct uuidnames uuidnames[] = {
 	{"fw.cfg",		UUID_FW_CONFIG},
 	{"rot-k.crt",		UUID_ROT_KEY_CERT},
 	{"nt-k.crt",		UUID_NON_TRUSTED_WORLD_KEY_CERT},
-	{"sip-sp.crt",		UUID_SIP_SECURE_PARTITION_CONTENT_CERT}
+	{"sip-sp.crt",		UUID_SIP_SECURE_PARTITION_CONTENT_CERT},
+	{"plat-sp.crt",		UUID_PLAT_SECURE_PARTITION_CONTENT_CERT}
 };
 
 /*******************************************************************************

make_helpers/tbbr/tbbr_tools.mk

@@ -103,4 +103,7 @@ endif
 # Add SiP owned Secure Partitions CoT (image cert)
 ifneq (${SP_LAYOUT_FILE},)
     $(eval $(call TOOL_ADD_PAYLOAD,${BUILD_PLAT}/sip_sp_content.crt,--sip-sp-cert))
+ifeq (${COT},dualroot)
+    $(eval $(call TOOL_ADD_PAYLOAD,${BUILD_PLAT}/plat_sp_content.crt,--plat-sp-cert))
+endif
 endif

tools/cert_create/include/dualroot/cot.h

@@ -23,6 +23,7 @@ enum {
 
 	/* Certificates owned by the platform owner. */
 	NON_TRUSTED_FW_CONTENT_CERT,
+	PLAT_SECURE_PARTITION_CONTENT_CERT,
 };
 
 /* Certificate extensions. */

tools/cert_create/src/dualroot/cot.c

@@ -152,12 +152,27 @@ static cert_t cot_certs[] = {
 			SP_PKG2_HASH_EXT,
 			SP_PKG3_HASH_EXT,
 			SP_PKG4_HASH_EXT,
+		},
+		.num_ext = 5
+	},
+
+	[PLAT_SECURE_PARTITION_CONTENT_CERT] = {
+		.id = PLAT_SECURE_PARTITION_CONTENT_CERT,
+		.opt = "plat-sp-cert",
+		.help_msg = "Platform owned Secure Partition Content Certificate (output file)",
+		.fn = NULL,
+		.cn = "Platform owned Secure Partition Content Certificate",
+		.key = PROT_KEY,
+		.issuer = PLAT_SECURE_PARTITION_CONTENT_CERT,
+		.ext = {
+			NON_TRUSTED_FW_NVCOUNTER_EXT,
 			SP_PKG5_HASH_EXT,
 			SP_PKG6_HASH_EXT,
 			SP_PKG7_HASH_EXT,
 			SP_PKG8_HASH_EXT,
+			PROT_PK_EXT,
 		},
-		.num_ext = 9
+		.num_ext = 6
 	},
 
 	[FWU_CERT] = {

tools/fiptool/tbbr_config.c

@@ -161,6 +161,11 @@ toc_entry_t toc_entries[] = {
 		.uuid = UUID_SIP_SECURE_PARTITION_CONTENT_CERT,
 		.cmdline_name = "sip-sp-cert"
 	},
+	{
+		.name = "Platform owned Secure Partition content certificate",
+		.uuid = UUID_PLAT_SECURE_PARTITION_CONTENT_CERT,
+		.cmdline_name = "plat-sp-cert"
+	},
 	{
 		.name = NULL,
 		.uuid = { {0} },